Difference between revisions of "OpenStack: Install RabbitMQ Message Broker"

yum -y install rabbitmq-server
systemctl start rabbitmq-server

rabbitmqctl delete_user guest
rabbitmqctl add_user rabbitmqauth redhat
rabbitmqctl set_permissions rabbitmqauth ".*" ".*" ".*"
rabbitmqctl set_user_tags rabbitmqauth administrator
rabbitmqctl list_users

mkdir /etc/rabbitmq/testca
cd /etc/rabbitmq/testca
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt

wget -P /etc/rabbitmq/testca/ http://classroom.example.com/materials/openssl.cnf
[root@server2-a ~]# cat /etc/rabbitmq/testca/openssl.cnf 
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER

mkdir -p /etc/rabbitmq/server
cd /etc/rabbitmq/server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server= -nodes

mkdir -p /etc/rabbitmq/client
cd /etc/rabbitmq/client
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes

cd ../testca/
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions client_ca_extensions
cd ../server
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

cd ../testca/
openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client/
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

cd
wget -P /etc/rabbitmq/ http://classroom.example.com/materials/rabbitmq.config
[root@server2-a ~]# cat /etc/rabbitmq/rabbitmq.config 
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"/etc/rabbitmq/testca/cacert.pem"},
{certfile,"/etc/rabbitmq/server/cert.pem"},
{keyfile,"/etc/rabbitmq/server/key.pem"},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].

firewall-cmd --add-port=5672/tcp --permanent
firewall-cmd --add-port=5671/tcp --permanent
firewall-cmd --reload
systemctl restart rabbitmq-server

[root@server2-a ~]# netstat -nlp | grep 567
tcp6       0      0 :::5671                 :::*                    LISTEN      2745/beam.smp       
tcp6       0      0 :::5672                 :::*                    LISTEN      2745/beam.smp

systemctl enable rabbitmq-server